Risk Management

Action Plan

Risks Opportunities
  • Occurrence of business continuity risk or unexpected loss resulting from the malfunction of corporate governance or internal control, and others.
  • Improvement of transparency in decision-making, appropriate response to changes and establishment of a stable basis of growth enabled by the establishment of a firm governance system, and others.
Materiality SDGs Targets Issues to address Business area Commitment Specific approach Performance indicators Degree of Progress
Maintain rigorous governance structures
Icon
 Maintaining and reinforcing a governance system for achieving sustainable growth Risk management We will build a system for group risk management and maintain it to manage the risk of loss and ensure the appropriateness of our corporate group's operations. Conduct regular reviews of risk management systems that have been established, including internal committees and risk management departments, various rules andregulations, reporting and monitoring systems, as well as the effectiveness of such systems. Maintain a firm governance system in the medium- and long-term by establishing a PDCA cycle, including development and implementation of action plans by the departments responsible for risk management, and monitoring and reviews by internal committees.
  • Each functional department responsible for risk management has reviewed the state of progress of the action plans for the first half of FYE 2019. The Global Risk Management Division has compiled information on the risk management system—including handling of events that occurred within the relevant period—to the effect that it is functional. The Division reported this to the October 2018 Internal Control Committee, which has acknowledged the report.
  • Moreover, the Division plans to report to the same committee, when it is held in the first half of FYE 2020, concerning the review of the latter half of FYE 2019 and the FYE 2020 action plan.

Policy and Basic Concept

The ITOCHU Group is exposed to various risks due to its wide range of business natures, such as market, credit, and investment risks. These risks include unpredictable uncertainties and may have significant effects on the Group's future financial position and business performance.
We acknowledge risk management as a key management issue. Therefore, we have established our basic risk management policy and develop necessary risk management systems and techniques based on the concept of the COSO-ERM framework. Specifically, we have defined the following 18 risks as major risks* and are responding to them by building information management and monitoring systems at each department responsible for managing these risks on a consolidated basis. In addition, we periodically review the effectiveness of management systems through our internal committees. Moreover in accordance with the medium-term management plan, we conduct risk assessments across the company to reevaluate the risks we are currently aware of and identify risks comprehensively.

*Major Risks

  1. Compliance Risks
  2. Legal Risks (Excluding Compliance Risks)
  3. Risks Associated with Trade Security Policy Management
  4. Risks Associated with Customs
  5. Country Risks
  6. Commodity Price Risks (Specific, Important Product)
  7. Credit Risks
  8. Investment Risks
  9. Stock Price Risks
  10. Foreign Exchange Rate Risks
  11. Interest Rate Risks
  12. Financing Risks
  13. Information System Risks
  14. Information Security Risks
  15. Labor Management Risks
  16. Human Resources Risks
  17. Risks Associated with the Appropriateness of Financial Reporting
  18. Risks Associated with Internal Control

Structures and Systems

We established the Principal Internal Committee (Internal Control Committee, Disclosure Committee, ALM Committee, Compliance Committee, Sustainability Committee, Investment Consultative Committee) as the subordinate organization of HMC and has established and maintained a system to report and discuss individual projects and internal systems related to risks in various fields.

Overview of ITOCHU's Corporate Governance and Internal Control System

Business Investment

Fundamental Approach

Along with strategic business alliances, business investment is an important means of creating new businesses. Based on our strategic goals, we choose the optimal format from a range of methods, such as establishing a wholly owned subsidiary, implementing joint investment with partners, and participating in management through M&As. In principle, we hold assets with a goal of long-term investment. After making each investment, we work to maximize our corporate value and to expand trade and dividends received through the full utilization of our Groupwide capabilities. With larger-scale investments and increases in acquisition prices in recent years, we are rigorously screening the appropriateness of the business plan and acquisition price when we invest. For existing investments, to increase investment earnings and to exit quickly from low-efficiency assets, we are further strengthening monitoring procedures, centered on instituting more rigorous exit criteria and thoroughly implementing periodic investment review.

Decision-Making Process for New Investments

A multilayered decision-making process that achieves quick decision-making by giving a certain level of discretion to the Division Companies while striving to pursue investment return and curb investment risk.

[Fig]

Business Investment Process

Under "Brand-new Deal 2017," we achieved a 90% and higher share of Group companies reporting profits for the first time through a revision of exit standards and by upgrading business investment management. Through "Brand-new Deal 2020," we plan to build a strong earnings base with high risk tolerance and further improve the share of Group companies reporting profits by moving forward with our existing investment process, thoroughly inspecting the appropriateness of business plans, and conducting prioritized monitoring of sub-subsidiaries.

[Fig]
[Fig]

Efforts

Risk Management

Risk Capital Management

Risk Assets and Risk Buffer

[Graph]

We introduced Risk Capital Management in FYE 2000, when we were carrying large amounts of interest-bearing debt and inefficient assets, making far-reaching management reforms a matter of urgency. Since then, we have pressed forward with that spirit and understand risk quantitatively, and conduct control continuously and rigorously even now that our financial position has improved. Specifically, our basic operational policy involves first calculating risk assets based on the maximum amount of possible future losses from all assets on the balance sheet including investments and all off-balance-sheet transactions. Second, we manage the quantity of risk assets within the limits of our risk buffer (consolidated shareholders' equity + non-controlling interests). As we promote investment in new and next-generation technologies moving forward, we will work to maintain risk assets within the limits of our risk buffer, conduct strict risk management, and further strengthen our financial position.

Country Risk Management

The ITOCHU Group is actively expanding its business in countries and regions overseas and is therefore exposed to various country risks that arise as a result of political, economic, or societal circumstances in those countries and regions. Managing country risk is extremely important because negative factors, such as delay or inhibition of debt collection or operational implementation, can occur all at once and cause large losses.
To respond to these risks, we formulate appropriate risk countermeasures for each individual project and evaluate and analyze risk tolerance. We also establish Groupwide country risk management regulations from the standpoint of preventing excessive concentration of risk in specific countries or regions. Additionally, we work toward risk management by setting limits for each country that are based on internal country rating standards and maintain overall exposure at a level that is appropriate for the Group's financial strength.
Furthermore, we assign exposure limits to countries independent of deliberation processes concerning individual projects and conduct strict country risk management through measures such as not allowing related projects to proceed when country limits have not been assigned.
Additionally, we proactively work to reduce risk by formulating credit policies appropriate for each country according to need and stationing country risk management officials at each Division Company who collaborate with headquarters and manage risk for those Companies.

Security Risk Management

In the past, our computers were infected with malware (malicious software), resulting in an external leak of client information. We have since focused on countermeasures aimed at preventing this from reoccurring. We have strengthened these preventative countermeasures by expanding security infrastructure for monitoring and defense, drastically revising the structure of our cybersecurity countermeasures team (ITCCERT: ITOCHU Computer Emergency Readiness, Response & Recovery Team), and hiring expert advanced cybersecurity analysts.
We routinely collect the latest information regarding threats through analysis of system logs and malware and conduct preventative measures. Additionally, when accidents (incidents) do occur, we respond instantly by investigating their causes, discussing possible countermeasures, and restoring services. In FYE 2018, we established an exclusive space for ITCCERT within our IT Planning Division and are working to strengthen security countermeasures across the entire Group and develop security countermeasure personnel. We also dispatch analysts to Chiba University under cross-appointment contracts (mixed-wage systems) in an effort to train and develop the cybersecurity countermeasure technicians that society needs. There are few examples of user companies in Japan that are working as actively as we are to develop systems and respond to information security risk. We plan to proceed with initiatives supporting sustained growth moving forward.

We periodically tackle the efforts below to maintain and improve the information management structure for information security education.

  • We give training to all employees on measures against targeted e-mail attacks, a type of cyber-attack, twice a year.
  • We simultaneously hold information security courses through e-learning with all employees and group companies in Japan and overseas every three years.
  • We hold information security workshops and lectures for our group companies with ITCCERT serving as the lecturer several times a year.